[lwip-users] RE: [lwip] bug in tcp.c

[Recker, John]

One other related problem:

I don't think that the

        memp_free() (tcp.c, tcp_slowtmr(), line 471)

when removing a timed out pcb is a good 
idea as the pcb is still
attached to the connection at this
point resulting in a stale pointer in
the connection...

jr

-----Original Message-----
From: Recker, John [mailto:address@hidden
Sent: Wednesday, February 13, 2002 1:32 PM
To: 'address@hidden'
Subject: [lwip] bug in tcp.c



the following sequence causes a assertion
failure in the 5.0 release. I haven't tried
it in the latest source tree, but I don't see
any changes in any of the relevant code sections
either...



netconn_timeout()
 ... connection times out
netconn_delete()



The problem:

Connect receives no reply, causing timeout in tcp_slowtmr().
This routine removes the pcb from tcp_active_pcbs list.
potentially leaving the list empty. 

        /* If the PCB should be removed, do it. */
        if(pcb_remove) {   (tcp.c ~line 460)

        ...

           tcp_active_pcbs = pcb->next;

it then generates a fault back to the app that the connection
failed.

        pcb->connected(pcb->callback_arg, pcb, ERR_ABRT);


App receives fault, closes connection, which results in 
netconn_delete() being called, which evtually calls
tcp_close(), which if state == SYN_SENT, then 
calls 

        tcp_pcb_remove(&tcp_active_pcbs, pcb); (tcp.c, line 98) 

which will assertion fault if tcp_active_pcbs is empty.




Solution?

Either tcp_pcb_remove() should test for tcp_active_pcbs == 0
rather than asserting, or tcp_close() should test prior to 
calling tcp_pcb_remove()


jr
[This message was sent through the lwip discussion list.]
[This message was sent through the lwip discussion list.]